The invention claimed is:

1. A method comprising:

performing, at a client, to outgoing packets having the client's private source IP address and generalized port number (GPN) and a protocol not directly supported by a network address translator (NAT) at which the client's private source IP address and GPN are translated to a NAT's global source IP address and GPN, respectively, the functions of an Application Layer Gateway (ALG) that need to be implemented in association with the NAT's translations.

2. A method comprising:

performing, at a client, to incoming packets sent to a network address translator's (NAT's) global destination IP address and generalized port number (GPN) and having a protocol not directly supported by the NAT at which the NAT's global destination IP address and GPN are translated to the client's private destination IP address and GPN, respectively, the functions of an Application Layer Gateway (ALG) that need to be implemented in association with the NAT's translations.

3. A method comprising:

modifying, at a client, outgoing packets having the client's private source IP address and generalized port number (GPN) and a protocol not directly supported by a network address translator (NAT) at which the client's private source IP address and GPN are translated to the NAT's global source IP address and GPN, respectively, the packets being modified so as to pre-compensate for the effects on the packets of the IP address and GPN translations.

4. The method of claim 3 wherein modifying the packets comprises modifying a TCP or UDP checksum in a packet's TCP or UDP header to account for the IP address and TCP or UDP source port number translations.

5. The method of claim 4 wherein modifying the checksum comprises adding to the TCP or UDP checksum the difference between the global and private source IP addresses, and the difference between global and private TCP or UDP source port numbers.

6. The method of claim 3 wherein the protocol is an authenticating and/or encrypting-decrypting AH or ESP IPSec security protocol in a tunnel or a transport mode, and modifying the packets comprises:

before authentication and/or encryption, in the transport mode, replacing the client's source port number with a global port number, or in the tunnel mode, replacing an encapsulated client's source IP address and port number by the NAT's global IP address and port number; and

adding to a TCP or UDP checksum in a packet's TCP or UDP header, the difference between the global and private source IP addresses, and the difference between global and private TCP or UDP source port numbers.

7. The method of claim 6 further comprising processing any necessary Application Layer Protocol (ALG).

8. The method of claim 7 further comprising, for the AH protocol, computing each packet's authentication data as if the source IP address were equal to the NAT's global IP address.

9. A method comprising:

modifying, at a client, incoming packets sent to a network address translator's (NAT's) global destination IP address and generalized port number (GPN) and having a protocol not directly supported by the NAT at which the NAT's global destination IP address and GPN are translated to the client's private destination IP address and GPN, the packets being modified so as to post-compensate for the effects on the packets of the IP address and GPN translations.

10. The method of claim 9 wherein modifying the packets comprises modifying a TCP or UDP checksum in a packet's TCP or UDP header to account for the destination IP address and TCP or UDP destination port number translations.

11. The method of claim 10 wherein modifying the checksum comprises subtracting from the TCP or UDP checksum the difference between the global and private destination IP addresses, and the difference between the global and private TCP or UDP destination port numbers.

12. The method of claim 9 wherein the protocol is an authenticating and/or encrypting-decrypting AH or ESP IPSec security protocol in a tunnel or a transport mode, and modifying the packets comprises:

after authentication and/or decryption, in the transport mode, replacing the NAT's global destination port number with the client's private port number, or in the tunnel mode, replacing in a decapsulated packet the NAT's global destination IP address and port number by the client's private IP address and port number; and

subtracting from a TCP or UDP checksum in a TCP or UDP header, the difference between the global and private destination IP addresses, and the difference between the global and private TCP or UDP destination port numbers.

13. The method of claim 12 further comprising processing any necessary Application Layer Gateway (ALG) after authentication and/or decryption.

14. The method of claim 13 further comprising, for the AH protocol, computing each packet's authentication data as if the destination IP address were equal to the NAT's global IP address.

15. Apparatus at a client comprising:

means for modifying packets having the client's private source IP address and generalized port number (GPN) and having a protocol not directly supported by a network address translator (NAT) at which the client's private source IP address and GPN are translated to the NAT's global source IP address and GPN, respectively, so as to pre-compensate for the effects on the packets of the IP address and GPN translations; and

means for sending the packets to the NAT.

16. The apparatus in accordance with claim 15 wherein the modifying means comprises means for modifying a TCP or UDP checksum in a TCP or UDP header in the packets to account for the IP address and TCP or UDP source port number translations.

17. The apparatus in accordance with claim 16 wherein the means for modifying a TCP or UDP checksum comprises means for adding to the TCP or UDP checksum the difference between the global and private source IP addresses, and the difference between global and private TCP or UDP source port numbers.



18. The apparatus of claim 15 wherein the protocol is an authenticating and/or encrypting-decrypting AH or ESP IPSec security protocol in a tunnel or a transport mode, and the means for modifying the packets comprises:

means for, before authentication and/or encryption, in the transport mode, replacing the client's source port number with a global port number, or in the tunnel mode, replacing an encapsulated client's source IP address and port number by the NAT's global IP address and port number; and

means for adding to a TCP or UDP checksum in a packet's TCP or UDP header, the difference between the global and private source IP addresses, and the difference between global and private TCP or UDP source port numbers.

19. The apparatus of claim 18 further comprising means for processing any necessary Application Layer Protocol (ALG).

20. The apparatus of claim 19 further comprising means for computing each packet's authentication data as if the source IP address were equal to the NAT's global IP address, for the AH protocol.

21. Apparatus at a client comprising:

means for receiving packets sent to a network address translator's (NAT's) global destination IP address and generalized port number and having a protocol not directly supported by the NAT at which the NAT's global destination IP address and GPN are translated to the client's private destination IP address and GPN, respectively; and

means for modifying the packets so as to post-compensate for the effects on the packets of the IP address GPN translations.

22. The apparatus of claim 21 wherein the modifying means comprises means for modifying a TCP or UDP checksum in a TCP or UDP header in the packets to account for the destination IP address and TCP or UDP destination port number translations.

23. The apparatus of claim 22 wherein the means for modifying a TCP or UDP checksum comprises means for subtracting from the TCP or UDP checksum the difference between the global and private destination IP addresses, and the difference between global and private TCP or UDP destination port numbers.

24. The apparatus of claim 21 wherein the protocol is an authenticating and/or encrypting-decrypting AH or ESP IPSec security protocol in a tunnel or a transport mode, and the means for modifying the packets comprises:

means for, after authentication and/or decryption, in the transport mode, replacing the NAT's global destination port number with the client's private port number, or in the tunnel mode, replacing in a decapsulated packet the NAT's global destination IP address and port number by the client's private IP address and port number; and

means for subtracting from a TCP or UDP checksum in a TCP or UDP header, the difference between the global and private destination IP addresses, and the difference between the global and private TCP or UDP destination port numbers.

25. The apparatus of claim 24 further comprising means for processing any necessary Application Layer Protocol (ALG).

26. The apparatus of claim 25 further comprising means for computing each packet's authentication data as if the destination IP address were equal to the NAT's global IP address, for the AH protocol.

27. Apparatus at a client comprising:

means for performing the functions of an Application Layer Gateway (ALG) that need to be implemented in conjunction with a network address translator's (NAT's) translation of packets that are not directly supported by the NAT at which the client's private source IP address and generalized port number (GPN) are translated to the NAT's global IP address and GPN; and

means for sending the packets on which the functions of the ALG have been performed to the NAT.

28. Apparatus at a client comprising:

means for receiving packets sent to a network address translator's (NAT's) global destination IP address and generalized port number (GPN) and having a protocol not directly supported by the NAT at which the NAT's global destination IP address and GPN are translated to the client's private destination IP address and GPN, respectively; and

means for performing the functions of an Application Layer Gateway (ALG) that need to be implemented in association with the NAT's translations.

29. A computer readable media tangibly embodying a program of instructions executable by a computer to perform a method at a client, the method comprising:

modifying outgoing packets having the client's private source IP address and generalized port number (GPN) and a protocol not directly supported by a network address translator (NAT) at which the client's private source IP address and GPN are translated to the NAT's global source IP address and GPN, respectively, the packets being modified so as to pre-compensate for the effects on the packets of the IP address and GPN translations.



30. The media of claim 29 wherein in the method modifying the packets comprises modifying a TCP or UDP checksum in a packet's TCP or UDP header to account for the IP address and TCP or UDP source port number translations.

31. The media of claim 29 wherein in the method modifying the checksum comprises adding to the TCP or UDP checksum the difference between the global and private source IP addresses, and the difference between global and private TCP or UDP source port numbers.

32. The media of claim 29 wherein in the method the protocol is an authenticating and/or encrypting-decrypting AH or ESP IPSec security protocol in a tunnel or a transport mode, and modifying the packets comprises:

before authentication and/or encryption, in the transport mode, replacing the client's source port number with a global port number, or in the tunnel mode, replacing an encapsulated client's source IP address and port number by the NAT's global IP address and port number; and

adding to a TCP or UDP checksum in a packet's TCP or UDP header, the difference between the global and private source IP addresses, and the difference between global and private TCP or UDP source port numbers.

33. The media of claim 29 wherein the method further comprises processing any necessary Application Layer Protocol (ALG).

34. The media of claim 33 wherein the method further comprises, for the AH protocol, computing each packet's authentication data as if the source IP address were equal to the NAT's global IP address.

35. A computer readable media tangibly embodying a program of instructions executable by a computer to perform a method at a client, the method comprising:

modifying incoming packets sent to a network address translator's (NAT's) global destination IP address and generalized port number (GPN) and having a protocol not directly supported by the NAT at which the NAT's global destination IP address and GPN are translated to the client's private destination IP address and GPN, the packets being modified so as to post-compensate for the effects on the packets of the IP address and GPN translations.



36. The media of claim 35 wherein in the method modifying the packets comprises modifying a TCP or UDP checksum in a packet's TCP or UDP header to account for the destination IP address and TCP or UDP destination port number translations.

37. The media of claim 36 wherein in the method modifying the checksum comprises subtracting from the TCP or UDP checksum the difference between the global and private destination IP addresses, and the difference between the global and private TCP or UDP destination port numbers.

38. The media of claim 35 wherein in the method the protocol is an authenticating and/or encrypting-decrypting AH or ESP IPSec security protocol in a tunnel or a transport mode, and modifying the packets comprises:

after authentication and/or decryption, in the transport mode, replacing the NAT's global destination port number with the client's private port number, or in the tunnel mode, replacing in a decapsulated packet the NAT's global destination IP address and port number by the client's private IP address and port number; and

subtracting from a TCP or UDP checksum in a TCP or UDP header, the difference between the global and private destination IP addresses, and the difference between the global and private TCP or UDP destination port numbers.

39. The media of claim 38 wherein the method further comprises processing any necessary Application Layer Gateway (ALG) after authentication and/or decryption.

40. The media of claim 39 wherein the method further comprises, for the AH protocol, computing each packet's authentication data as if the destination IP address were equal to the NAT's global IP address.
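
The checksum compensation recited in claims 5 and 11 (and their apparatus and media counterparts), shown as an added example that is not part of the patent text. It assumes the "difference" is applied with the one's-complement incremental update of RFC 1624; the addresses, ports and function names are constructed for illustration.

```python
import socket
import struct

# Constructed sample values (documentation address ranges), not from the patent.
PRIV, GLOB, PEER = ("10.0.0.5", 40000), ("203.0.113.7", 61001), ("198.51.100.9", 443)

def fold(total):
    """Fold carries back in (end-around carry) to get a 16-bit one's-complement sum."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def words(ip, port):
    """The 16-bit words that one IPv4 address and one port contribute to the sum."""
    hi, lo = struct.unpack("!HH", socket.inet_aton(ip))
    return [hi, lo, port]

def segment(sport, dport, cksum=0, payload=b"constructed"):
    """Minimal 20-byte TCP header (SYN, no options) plus a constructed payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, cksum, 0) + payload

def tcp_checksum(src_ip, dst_ip, seg):
    """Full checksum over the IPv4 pseudo-header and the segment as given."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(seg))
    data = pseudo + seg + (b"\x00" if len(seg) % 2 else b"")
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def compensate(cksum, old, new):
    """RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), applied to every changed word."""
    total = (~cksum & 0xFFFF) + sum(~w & 0xFFFF for w in old) + sum(new)
    return ~fold(total) & 0xFFFF

def outgoing():
    """Client, outbound: checksum for the private values, pre-compensated for the NAT."""
    private_ck = tcp_checksum(PRIV[0], PEER[0], segment(PRIV[1], PEER[1]))
    return compensate(private_ck, words(*PRIV), words(*GLOB))

def incoming(cksum_from_peer):
    """Client, inbound: post-compensate a checksum the peer computed for the global values."""
    return compensate(cksum_from_peer, words(*GLOB), words(*PRIV))
```

The pre-compensated value equals a checksum computed from scratch over the global address and port, so a peer that sees only the translated packet accepts it even though the NAT could not touch the protected TCP header.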